DETAILED ACTION

1. Claims 1-31 have been examined. 

Specification 

2. The lengthy specification has not been checked to the extent necessary to determine the 
presence of all possible minor errors. Applicant's cooperation is requested in correcting any 
errors of which applicant may become aware in the specification. 

Claim Rejections - 35 USC § 112 

3. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

4. Claims 1-8 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for 
failing to particularly point out and distinctly claim the subject matter which applicant regards as 
the invention. 

5. Claim 1 recites the limitation "the audit records" in line 5. There is insufficient 
antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claims 1-31 are rejected under 35 U.S.C. 103(a) as being unpatentable over Hayes U.S. 
Patent No. 6,738,911, and further in view of Ko et al. U.S. Patent No. 6,789,202.

8. Regarding claims 1, 7 and 9: Hayes has taught a server to receive and store records. (Col
2 lines 35-52, Fig 1 part 124)

9. A server for parsing records for determination of an occurrence or condition. (Col 2 lines 
35-39 Fig 1 part 128) 

10. A firewall located between the servers and domain. (Fig 1 part 112, Col 2 lines 14-25)

11. Hayes fails to teach the limitation of a profile server.

12. However, Ko et al. has taught a server for storing a current status associated with said 
condition, capable of being queried by members of the system to thereto implement an action 
based upon said condition. (Col 3 lines 33-40, Col 4 lines 30-40, Col ) 

13. Within the system of Ko et al. the server is denoted by a global analyzer that provides for 
a means of alert recognition and action determination. The host systems within the domain 
provide for querying of the global analyzer by means of continuous attention to said server for 
any new condition that may require action. These alerts are relayed via local analyzers to the 
local systems that provide for a constant state of monitoring for the change of alert status. 

14. A non-routable protocol to broadcast said condition (Col 3 lines 40-62, Col 4 lines 35-39) 

15. As described per the Ko et al. implementation the non-routable protocol is suggested since
Ko et al. states the network can include any type of communication to couple the servers to the 
network. Therefore, in a given implementation within which a given broadcast was inclusive to 
the network such a non-routable protocol would be a desired functionality and thus implemented. 

16. The system of Ko et al. provides for the functionality of a quick broad response to that 
which is monitored and analyzed by the system of Hayes. Thus one would be motivated to 
implement the system of Ko et al. within the environment of Hayes since the added functionality 
of relaying such threats is easily communicated across all types of platforms as denoted by Ko et
al (background Col 1). It would have been obvious to one of ordinary skill in the art at the time 
of the applicant's invention to combine two such systems for the obvious improved functionality 
that is set forth. 

17. Claims 16, 22, 24, and 30 are a computer program and method implementation of claims 
1, 7, and 9 and are so objected to on the same basis as claims 1, 7, and 9. As is obvious to 
anyone of ordinary skill in the art a computer program and method implementation are necessary 
to realize the use of the invention itself. 

18. Regarding claims 2 and 10: domain is defined as a logical grouping of the plurality of 
members which are not necessarily otherwise related (Ko Col 3 lines 48-62) 

19. Claims 17 and 25 are a computer program and method implementation of claims 2 and 10 
and are so objected to on the same basis as claims 2 and 10. As is obvious to anyone of ordinary 
skill in the art a computer program and method implementation are necessary to realize the use 
of the invention itself. 

20. Regarding claims 3 and 11: the logical grouping is based upon a value characteristic and 
a risk tolerance characteristic of each of the plurality of members. (Ko Col 4 lines 1-4) The
systems within each logical grouping are of different natures and as such each has a value
characteristic based upon the system type as well as a general risk tolerance that is native to any
given system.

21. Claims 18 and 26 are a computer program and method implementation of claims 3 and 11
and are so objected to on the same basis as claims 2 and 10. As is obvious to anyone of ordinary
skill in the art a computer program and method implementation are necessary to realize the use
of the invention itself. 

22. Regarding Claims 4 and 12: the detection server applies a threat-detection logic in 
conjunction with a pre-established threshold value in identifying the occurrence of the threat 
condition. (Ko Col 4 lines 35-40) Such a function is necessary as it can be seen that all 
information that is collected from a system will not be reacted to as it is not necessary, only 
events that are deemed by the system to be of such a nature to require action necessitate such
action as a broadcast by the system. 

23. Claims 19 and 27 are a computer program and method implementation of claims 4 and 
12 and are so objected to on the same basis as claims 4 and 12. As is obvious to anyone of 
ordinary skill in the art a computer program and method implementation are necessary to realize 
the use of the invention itself. 

24. Regarding claims 5 and 13: 

a. Log server IP address (Hayes Col 3 lines 2-5, 60-66) Denoted by Hayes as a Destination 
address this would logically be an IP address.

b. Configuration/Alert refresh frequency for querying profile server for updates. Within the 
combined system this feature is noted as being the same action since the host consistently 
monitors for an alert status from the system and within that same function provides for updating 
the system as a response to a new alert condition within the network. 

c. Device value. (Col 4 lines 5-21) Each system within the network as specified by Ko et al. may
be of a separate nature and thus have a separate device value.

d. Threshold value. (Ko Col 4 lines 35-40) As stated above a threshold value exists for
determining which occurrences necessitate action by the system. 

25. Claims 20 and 28 are a computer program and method implementation of claims 5 and 13 
and are so objected to on the same basis as claims 5 and 13. As is obvious to anyone of ordinary 
skill in the art a computer program and method implementation are necessary to realize the use 
of the invention itself. 

26. Regarding claims 6 and 14: the alert automatically expires, if no additional action is 
taken, after a pre-defined period of time. Actions taken within the system are defined by the 
global analyzer, if an alert is asserted from a host system and the global analyzer deems that 
there is no action necessary then the alert in essence expires within the period of time necessary 
for the decision to be communicated and analyzed. 

27. Claims 21 and 29 are a computer program and method implementation of claims 6 and 14 
and are so objected to on the same basis as claims 6 and 14. As is obvious to anyone of ordinary 
skill in the art a computer program and method implementation are necessary to realize the use 
of the invention itself. 

28. Regarding claims 8 and 15: the occurrence of the threat condition is communicated to a 
second domain for evaluation and possible pre-emptive action. (Ko Col 4 lines 21-49) Within the
provided system the global analyzer provides feedback to the plurality of networks to perform 
actions as is necessitated by the policy implemented per the global analyzer for each given 
network so in this manner providing for action within the separate logical groupings. 

29. Claims 23 and 31 are a computer program and method implementation of claims 8 and 15 
and are so objected to on the same basis as claims 8 and 15. As is obvious to anyone of ordinary 
skill in the art a computer program and method implementation are necessary to realize the use
of the invention itself. 

Conclusion 

30. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. Applicant is reminded that in amending in response to a rejection of claims, the 
patentable novelty must be clearly shown in view of the state of art disclosed by the references 
cited and the objections made. Applicant must show how the amendments avoid such references 
and objections. See 37 CFR 1.111(c).

31. Inquiries concerning this communication or earlier communications from the examiner
should be directed to Thomas M. Szymanski who can be reached at (571) 272-8574. The 
examiner's normal working schedule is between the hours 8:00am - 4:30pm (EST), Monday - 
Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse, can be reached at (571) 272-3838. The fax phone number for the 
organization where this application or proceeding is assigned is (703) 872-9306. 

32. Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 